How to test TLS connection and server certificate
uherbst
Member, Employee Posts: 44 Solace Employee
If you use TLS to secure your connections (and you should use TLS as often as possible), you sometime have issues connecting to your TLS ports.
Here, I will describe a way to debug that.
Try to connect to a port
You're not sure, if your service / port is enabled or (most probably) if all your firewall rules are in place ?
From the client, try to connect to the server port.
Often telnet is recommended. I don't recommend that, because the handling of telnet is a little bit complicated, especially quitting telnet after connecting. I recommend ncfor that:
$ nc -vz 10.71.1.8 8883 Connection to 10.71.1.8 8883 port [tcp/*] succeeded!
Explanation:
-v: Be verbose, output, if connected
-z: Just try to connect and stop, don't send any data
Check TLS server certificate
To see details of the server certificate, use openssl:
[[email protected] ~] $ openssl s_client -connect mr16jp1pl7tfu7.messaging.solace.cloud:55443 CONNECTED(00000005) depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA verify return:1 depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte RSA CA 2018 verify return:1 depth=0 C = CA, ST = Ontario, L = Kanata, O = Solace Corporation, CN = *.messaging.solace.cloud verify return:1 --- Certificate chain 0 s:/C=CA/ST=Ontario/L=Kanata/O=Solace Corporation/CN=*.messaging.solace.cloud i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018 i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA --- Server certificate -----BEGIN CERTIFICATE----- MIIGpzCCBY+gAwIBAgIQBpfhPEvol9Rx6KExmHCJ2TANBgkqhkiG9w0BAQsFADBc MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMRswGQYDVQQDExJUaGF3dGUgUlNBIENBIDIwMTgwHhcN MTkwOTE5MDAwMDAwWhcNMjEwOTE4MTIwMDAwWjBwMQswCQYDVQQGEwJDQTEQMA4G A1UECBMHT250YXJpbzEPMA0GA1UEBxMGS2FuYXRhMRswGQYDVQQKExJTb2xhY2Ug ... DKszydaiybTA73m8w6YabN2BrpqvkaxA8zrbjeJ30cvgPM0ZzA2JRYnPvjxHQLyd uyQBGQcGAr2U0rjbVixFyFYs2dlXfbAHf7A6 -----END CERTIFICATE----- subject=/C=CA/ST=Ontario/L=Kanata/O=Solace Corporation/CN=*.messaging.solace.cloud issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018 --- No client certificate CA names sent Server Temp Key: ECDH, P-256, 256 bits --- SSL handshake has read 3392 bytes and written 334 bytes --- New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: Session-ID-ctx: Master-Key: 59FE52516A3EA4A63FAA1EAB8045EE8A0F5813D6F9D83E6A02931BFFEFCA5C382D2C3670655169B097F104F9D8F75577 Start Time: 1607409440 Timeout : 7200 (sec) Verify return code: 0 (ok) ---
What can we see here:
1. Common name of your server: subject=/C=CA/ST=Ontario/L=Kanata/O=Solace Corporation/CN=*.messaging.solace.cloud
2. certificate chain for your certificate:
Certificate chain 0 s:/C=CA/ST=Ontario/L=Kanata/O=Solace Corporation/CN=*.messaging.solace.cloud i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Thawte RSA CA 2018 i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
With this information, you know, that you need the certificates for DigiCert Global Root CA and Thawte RSA CA 2018 to validate your server certificate
Comments
A handy tip, @uherbst !